306 Million Passwords You Should Never Use

Print Email

By one count there are more than a billion compromised usernames and passwords available on the internet to anyone who knows how to find them. That’s bad for consumers, obviously, but it also creates a headache for online services that depend on secure credentials before granting access. Your online banking account is a good example.

Unfortunately there exists only a limited number of user-friendly — i.e., easy-to-remember — passwords. Those passwords are either easily guessable by someone who wants to hack into personal accounts or they have already been stolen and are available for purchase on the internet.

Two-factor authentication can block the recycling of stolen usernames and passwords, but it is a bit cumbersome to use and has not yet achieved anything approaching widespread acceptance.

Enter a security expert named Troy Hunt who runs a data breach notification service at haveibeenpwned.com. For those who wonder what “pwned” means: it is a hacker term based on a common mistyping of “owned” and is generally synonymous with “owned.”

What Hunt has done is accumulate all the usernames and passwords compromised in more than 3.9 billion pwned accounts. You can use the site to find out if the password you want to use already has been compromised. If it has, you can still use it, but that raises the risk that a hacker may at some future date get lucky with a credential-stuffing program that cycles through lists trying to find legal combinations of usernames and passwords.

When the cybercriminals match that password with your username, they have pwned that account. And, according to Hunt, who is cited in Data Breach Today, “Credential stuffing is just becoming enormously destructive at the moment. It is a very, very hard problem.”

The good news is that Hunt has developed a database of 306 million pwned passwords related to the 1 billion compromised accounts and you can use Have I Been Pwned free for two important purposes: 1) check that your email addresses have not been pwned; and 2) check to see if a password you want to use has been pwned.

Content providers also use Hunt’s database to compare new customers’ passwords to the list of known stolen passwords and encourage customers to pick another password. The provider might also notify a new user that their choice of a password has previously been compromised.